Re: [webauthn] What does "the extension was acted upon" mean for the AppID extension?

>Saying RP will always know whether credential was created with U2F or not will not be correct in the future where U2F credentials will be created using webauthn APIs which will use RPID instead of AppId.

It will remain correct in the sense that the AppID needs to be used if and only if the credential was created via the U2F _API_. The RP does know (or at least, it's within the RP's power to know) if a given credential was created with the U2F API or the WebAuthn API.

And even if the RP doesn't know this, that doesn't matter much in practice - the RP does definitely know whether it requested the `appid` extension, so if it did and the verification against RP ID fails, it can simply try verifying against that AppID and see if that works instead.

So as far as I'm concerned it doesn't matter much which of the two options we choose, but I think we need to make this precise since the behaviour is evidently underspecified.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/982#issuecomment-404136043 using your GitHub account

Received on Wednesday, 11 July 2018 11:26:26 UTC
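
The fallback described in the comment above, sketched as an added example (not part of the original message and not code from the WebAuthn specification or any library): the RP compares the `rpIdHash` at the start of the authenticator data against SHA-256 of its RP ID, and only if that fails and it requested the `appid` extension does it try SHA-256 of the AppID. The function names, `example.com` and the AppID URL are assumptions, and the authenticator data is constructed sample input.

```python
import hashlib
import hmac
import struct
from typing import Optional

RP_ID_HASH_LEN = 32      # authenticator data begins with a SHA-256 hash
MIN_AUTH_DATA_LEN = 37   # rpIdHash (32) + flags (1) + signCount (4)


def matched_identifier(auth_data: bytes, rp_id: str,
                       requested_appid: Optional[str] = None) -> Optional[str]:
    """Return "rpid" or "appid" for the identifier whose hash the
    authenticator data carries, or None if neither matches."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:RP_ID_HASH_LEN]

    if hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return "rpid"
    # Fall back to the AppID only when this RP actually sent the appid
    # extension in the request; otherwise an AppID hash is a mismatch.
    if requested_appid is not None and hmac.compare_digest(
            rp_id_hash, hashlib.sha256(requested_appid.encode()).digest()):
        return "appid"
    return None


def make_auth_data(identifier: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed sample authenticator data: hash || flags || signCount."""
    return (hashlib.sha256(identifier.encode()).digest()
            + bytes([flags]) + struct.pack(">I", counter))


# Assumed values for illustration only.
RP_ID = "example.com"
APP_ID = "https://example.com/u2f-appid.json"

if __name__ == "__main__":
    webauthn_cred = make_auth_data(RP_ID)    # credential created via WebAuthn
    u2f_cred = make_auth_data(APP_ID)        # credential created via the U2F API
    print(matched_identifier(webauthn_cred, RP_ID, APP_ID))
    print(matched_identifier(u2f_cred, RP_ID, APP_ID))
    print(matched_identifier(u2f_cred, RP_ID))   # extension not requested
```

Whichever identifier matched is also the one to use as the application parameter when verifying the assertion signature, so the return value should be carried forward rather than discarded.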